GSA sets road map for authentication gateway

OMB's Jeanette Thornton says guidance on the gateway will be out in a few months.

Henrik G. DeGyor

In about a year's time, a citizen or government user will sign on just once at the FirstGov portal to conduct many types of online transactions with different agencies.

The E-Authentication Gateway at FirstGov took shape this month in a General Services Administration request for information. The RFI calls for vendor responses by Aug. 8, a working prototype in October and a production system by September of next year.

Jeanette Thornton, the Office of Management and Budget's portfolio manager for the project, said policy guidance for agencies will be available by the fall.

The authentication gateway initially will serve only OMB's 24 e-government initiatives, but the RFI specifies a scalable, 'technology-agnostic' infrastructure adaptable to e-government processes of any agency that wants to participate. The interface must be the same for all processes.

The gateway must be capable of validating many types of authentication credentials, not merely government-issued certificates, and of distinguishing the trust levels required by agencies' various applications.

GSA itself will maintain an authorization system for the various sets of agency rules, but it will contract with one or more service providers to build and maintain the gateway.

No personal data

The RFI said the gateway must 'be able to communicate via the many disparate protocols required by commercial and legacy validation responders and services.' To safeguard privacy, the gateway itself will not collect any personal information.

Each participating agency must establish administrative, technical and physical protections for the personal information gathered by its applications, and it must tell individuals in writing how such information is used. It must also manage all the permissions and access controls for its own systems.

A user who tries to conduct transactions without having a credential will be directed to a third-party provider.

Credentials can include permanent passwords, one-time passwords, personal identification numbers, X.509 Version 3 digital certificates and smart cards. Once the gateway has accepted a credential, the user does not have to re-authenticate to move on to other applications at the same assurance level.

The gateway will grant four types of admission:

An anonymous ticket, like a movie ticket

A pass, similar to an airline ticket, containing the user's full credential

A partial pass that the agency application can use to request more information before doing business with the user

A voucher, or database index, to obtain even more information about the user.
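To make the assurance-level and admission-type ideas in the two passages above concrete, here is a toy gateway model in Python. It is an added illustration, not code from GSA, the RFI or any E-Authentication vendor; the mapping of credential kinds to assurance levels, the class and function names, and the constructed demo credentials are all assumptions. It shows the two security-relevant behaviours the article describes: a session that has met an assurance level can move to another application at that level without re-authenticating but must step up for a higher level (and a weaker credential never lowers an established level), and the four admission types release progressively more about the user while the gateway itself keeps only session state and no personal-data store.

```python
"""Toy E-Authentication-style gateway (illustrative, not the RFI's design)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum, IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered assurance levels; a higher value means a stronger credential."""
    ANONYMOUS = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed mapping of credential kinds named in the article to assurance levels.
CREDENTIAL_LEVEL = {
    "pin": Assurance.LOW,
    "password": Assurance.LOW,
    "one_time_password": Assurance.MEDIUM,
    "x509v3_certificate": Assurance.HIGH,
    "smart_card": Assurance.HIGH,
}


class Admission(Enum):
    TICKET = "anonymous ticket"    # nothing about the user
    PASS = "pass"                  # the user's full credential
    PARTIAL_PASS = "partial pass"  # partial data; application may ask for more
    VOUCHER = "voucher"            # an index the application resolves elsewhere


@dataclass
class Session:
    session_id: str
    assurance: Assurance = Assurance.ANONYMOUS
    credential: dict = field(default_factory=dict)  # held for the session only


@dataclass(frozen=True)
class Token:
    admission: Admission
    assurance: Assurance
    payload: dict


class Gateway:
    """Keeps only per-session state; credential checking is delegated to a
    validator callable, standing in for the 'disparate validation responders'."""

    def __init__(self, validator):
        self._validate = validator  # callable(kind, subject, secret) -> bool
        self._sessions = {}

    def start_session(self) -> Session:
        s = Session(session_id=secrets.token_hex(16))
        self._sessions[s.session_id] = s
        return s

    def authenticate(self, session: Session, kind: str, subject: str, secret: str) -> bool:
        if kind not in CREDENTIAL_LEVEL or not self._validate(kind, subject, secret):
            return False
        level = CREDENTIAL_LEVEL[kind]
        if level > session.assurance:  # step-up raises the level; weaker creds never lower it
            session.assurance = level
            session.credential = {"kind": kind, "subject": subject}
        return True

    def can_access(self, session: Session, required: Assurance) -> bool:
        """True when the session already meets the level, so no re-authentication."""
        return session.assurance >= required

    def issue(self, session: Session, admission: Admission, required: Assurance) -> Optional[Token]:
        """Issue one of the four admission types, or None if a step-up is needed."""
        if not self.can_access(session, required):
            return None
        if admission is Admission.TICKET:
            payload = {}
        elif admission is Admission.PASS:
            payload = dict(session.credential)
        elif admission is Admission.PARTIAL_PASS:
            payload = {"kind": session.credential.get("kind"), "more_available": True}
        else:  # Admission.VOUCHER: opaque index, no personal data in the token
            payload = {"index": session.session_id}
        return Token(admission, session.assurance, payload)


# Constructed demo credential store (hashed secrets); a stand-in for a real responder.
DEMO_CREDENTIALS = {
    ("password", "alice"): hashlib.sha256(b"correct horse").hexdigest(),
    ("smart_card", "alice"): hashlib.sha256(b"card-secret").hexdigest(),
    ("pin", "alice"): hashlib.sha256(b"4711").hexdigest(),
}


def demo_validator(kind: str, subject: str, secret: str) -> bool:
    expected = DEMO_CREDENTIALS.get((kind, subject))
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(secret.encode()).hexdigest())


def demo() -> dict:
    """Walk one session through anonymous use, low-assurance login and step-up."""
    gw = Gateway(demo_validator)
    s = gw.start_session()
    r = {}
    r["anonymous_ticket"] = gw.issue(s, Admission.TICKET, Assurance.ANONYMOUS)
    r["password_ok"] = gw.authenticate(s, "password", "alice", "correct horse")
    r["low_sso"] = gw.can_access(s, Assurance.LOW)            # no re-auth at same level
    r["high_without_stepup"] = gw.can_access(s, Assurance.HIGH)
    r["stepup_ok"] = gw.authenticate(s, "smart_card", "alice", "card-secret")
    r["high_after_stepup"] = gw.can_access(s, Assurance.HIGH)
    r["pass"] = gw.issue(s, Admission.PASS, Assurance.HIGH)
    r["voucher"] = gw.issue(s, Admission.VOUCHER, Assurance.MEDIUM)
    r["weak_after_strong"] = gw.authenticate(s, "pin", "alice", "4711")
    r["still_high"] = s.assurance
    r["bad_secret"] = gw.authenticate(s, "pin", "alice", "0000")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `validator` argument is where a real deployment would plug in the protocol adapters for commercial and legacy responders; the gateway object itself only ever holds the current session's credential kind and subject, which is what lets it honour the article's "no personal data" constraint while still issuing a voucher that the agency application can redeem against its own records.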